Can’t get Actions on Google Account linking working with AWS Cognito using Google Authentication


I have configured AWS Cognito Authentication using Google as an Identity provider and am trying to get this to work as an OAuth Client for Account linking in Google Actions.

I have set up a User Pool in AWS Cognito and Google as a Federated identity provider in the User pool. The creation of a user account in the AWS Cognito user pool using a Google account is working fine, so it appears that the user pool is configured correctly.

I have created an App Client in the AWS Cognito User pool to get the Client ID and Client Secret that are used in the Google Actions OAuth Client setup.
This setup was tested and got an error when trying to link (Add the device) in the Google Home App.

  1. I am able to select the device.
  2. I'm then taken to the AWS Cognito OAuth page
    (the Hosted UI for the client that Google Actions uses).
  3. I select a Google account that I am signed into on my phone.
    I have tried 3 different Google accounts; all have been added as test users in the Google OAuth app setup.
  4. The user is created in the AWS Cognito User Pool.
  5. I get redirected back to the Google Home App and get the following error:
    Could not reach "[test] my-app". Please try again.
  6. I get two error logs in the Google Cloud Logs Explorer, one for the “Google Assistant Action” and one for the “Google Assistant Action Project”.
    The main error relates to the “Google Assistant Action” and is:
    SYNC: Request ID 13069595105448654396 failed with code: INVALID_AUTH_TOKEN

I have tried setting up an Identity Pool with an Authenticated role that has the AWS Cognito Pool used above as the Identity provider, but I get the same results as when there is no Identity Pool.

I’m not sure if the Identity Pool is needed, or if I have not set it up correctly, or if the Google Identity provider has been set up incorrectly.

I have tried setting up the Google Federated identity provider in the AWS Cognito User Pool using both the AWS provided Identity Provider for Google and as a custom OIDC provider, but get the same results.

I have checked all the questions relating to Google Actions account linking, but none of them are using AWS Cognito with Google as an OAuth provider, and I’m hoping that I’m missing something simple.

Screenshots attached to the question (images not reproduced here):
  AWS Cognito User pool Idp
  AWS Cognito User pool - Google
  AWS Cognito User pool - Google OIDC
  AWS Cognito User pool - Apps
  Google Actions - OAuth Config
  Google Cloud - OAuth Client App
  Google Cloud - Error Log

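The two halves of the account-linking flow that the question does not show are (a) the authorization-code exchange Google performs against the Cognito app client's token endpoint, and (b) the checks a fulfillment backend applies to the resulting bearer token before it answers a SYNC request. The script below is an added example, not code from the asker's project: it builds the token request exactly as Cognito's `/oauth2/token` endpoint expects it (client ID and secret as HTTP Basic auth, code and redirect URI in the form body) and then applies the claim checks AWS documents for Cognito JWTs (issuer, `token_use`, `client_id`/`aud`, expiry). The Cognito domain, region, user-pool ID, app-client ID, secret, redirect URI and the sample tokens are constructed placeholders; the JWKS signature verification that production code must also perform is only noted in a comment because it needs a network fetch.

```python
"""Added example (not from the question): build the Cognito authorization-code
exchange and sanity-check a Cognito access token's claims the way a Google
Actions fulfillment backend should before accepting it as a bearer token.
All identifiers below are constructed placeholders."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import List, Optional

# Assumed placeholder settings: replace with the real user pool / app client values.
COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"            # constructed, not a real pool
APP_CLIENT_ID = "abcdefghijklmnopqrstuvwxyz"    # constructed app client ID
APP_CLIENT_SECRET = "constructed-secret"         # constructed app client secret
REDIRECT_URI = "https://oauth-redirect.googleusercontent.com/r/example-project"

# Cognito issues tokens with iss = https://cognito-idp.<region>.amazonaws.com/<pool id>
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def build_token_request(code: str) -> urllib.request.Request:
    """Build the POST Google sends to Cognito's token endpoint after the user
    signs in through the hosted UI. An app client with a secret authenticates
    with HTTP Basic (client_id:client_secret); the body carries the code."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": APP_CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must match the URI registered on the app client
    }).encode()
    basic = base64.b64encode(f"{APP_CLIENT_ID}:{APP_CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(
        f"{COGNITO_DOMAIN}/oauth2/token",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def exchange_code(code: str) -> dict:
    """Perform the exchange against Cognito (network call; not exercised offline)."""
    with urllib.request.urlopen(build_token_request(code)) as resp:
        return json.load(resp)   # access_token, id_token, refresh_token, expires_in


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)   # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying the signature. For
    inspection only: a real backend must verify the RS256 signature against the
    pool's JWKS at <issuer>/.well-known/jwks.json before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token_claims(jwt: str, now: Optional[float] = None) -> List[str]:
    """Return the claim problems found in a Cognito access token; an empty
    list means the claims are consistent with a token this pool minted for
    this app client. These are the claim checks AWS documents for Cognito
    JWTs (issuer, token_use, client_id/aud, expiry), minus the signature."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    if claims.get("token_use") != "access":
        problems.append(f"token_use is {claims.get('token_use')!r}, expected 'access'")
    # Cognito access tokens carry client_id; ID tokens carry aud. Accept either here.
    if claims.get("client_id", claims.get("aud")) != APP_CLIENT_ID:
        problems.append("token was not issued to this app client")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) for offline testing only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `check_access_token_claims()` on the `access_token` the exchange returns: a token whose `iss` names a different pool, whose `token_use` is `id` (the ID token was sent instead of the access token), or whose `client_id` is not the app client configured in the Actions OAuth settings will fail these checks long before the signature is even looked at, which narrows down where a linking failure comes from.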